Analysis
- max time kernel: 15s
- max time network: 21s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 22-05-2024 18:54
Behavioral task: behavioral1
- Sample: Rice Loader.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: Rice Loader.exe
- Resource: win10v2004-20240508-en
General
- Target: Rice Loader.exe
- Size: 1.7MB
- MD5: eae85da30f643913cc1ba962a1722abe
- SHA1: 2df08a292d733d7d79aea9d7ae079c17964ec44b
- SHA256: b2c7627cc1d7a6e016fbe97d2175a7e91240dba49d27f4fc7d43efbb2b9ca86f
- SHA512: 45d5df0d6e93658f7cd8b1efbb08fbef5fd27fbb675664820e1662443c7a55e678cb9a499ca96051954639ab52aceb9a812421146b21e171cc5a3dc51bcd7a85
- SSDEEP: 49152:UbA30N2Y6CbYeb0qVOOYYtz7Q/+XZZ8csL:UbZ6CbfaOffXq
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Processes:
    resource | yara_rule
    C:\bridgeRefdll\Cominto.exe | dcrat
    behavioral1/memory/3364-14-0x0000000000AE0000-0x0000000000C54000-memory.dmp | dcrat
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    3364 | Cominto.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | Rice Loader.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3364 | Cominto.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 3200 wrote to memory of 5092 | 3200 | Rice Loader.exe | WScript.exe
    PID 3200 wrote to memory of 5092 | 3200 | Rice Loader.exe | WScript.exe
    PID 3200 wrote to memory of 5092 | 3200 | Rice Loader.exe | WScript.exe
    PID 5092 wrote to memory of 4948 | 5092 | WScript.exe | cmd.exe
    PID 5092 wrote to memory of 4948 | 5092 | WScript.exe | cmd.exe
    PID 5092 wrote to memory of 4948 | 5092 | WScript.exe | cmd.exe
    PID 4948 wrote to memory of 3364 | 4948 | cmd.exe | Cominto.exe
    PID 4948 wrote to memory of 3364 | 4948 | cmd.exe | Cominto.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Rice Loader.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Rice Loader.exe"
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\bridgeRefdll\Rc9TGyLvla1DCQfA.vbe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\bridgeRefdll\7SErw3QqG8DR33ZHNVPlxU94MWk.bat" "
         - Suspicious use of WriteProcessMemory
         4. C:\bridgeRefdll\Cominto.exe
            Command line: "C:\bridgeRefdll\Cominto.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\bridgeRefdll\7SErw3QqG8DR33ZHNVPlxU94MWk.bat
  Filesize: 29B
  MD5: 15618516fd39d3d2819d6a0c6b142a0c
  SHA1: 1dd8845bf120a1f0029a38937b84ff041c6fd7e7
  SHA256: 5c6f33da33e498e58632dfab994850eb80c21ba77fc03ad9687beae7b3c2529b
  SHA512: ef4347ac6cfd4db86691c23a6e24555fa4237161a43bf8cbbc20af1682b977e3c3b8f6082c43e227f43ba246d862a3d1532a1e0b4ca96fa3d0e97c74f943c900
- C:\bridgeRefdll\Cominto.exe
  Filesize: 1.4MB
  MD5: 2a7ba873c3ed2a5f4a916a7beb6d5159
  SHA1: d6b7b52bfc1ddf88955905391820df5c498caaaf
  SHA256: 647de545941a931ef320c3f5e1ee70cb0d9acf1dcbdc20d9606f2b9dae4623f7
  SHA512: f363372b9aefc87d3404b120bc7128550142adbd741838d23ec813ec159d971b4d0d5b8ccbbe89519aa7fa858cc0ce8ef97c3e50d0170dba763f216c51aca496
- C:\bridgeRefdll\Rc9TGyLvla1DCQfA.vbe
  Filesize: 216B
  MD5: 4e39ee432ff2779f1b8222b52b0f49a2
  SHA1: c9823817b7a8346f252bac98851eb2c7b0ddfdd3
  SHA256: c181d4e95af2da2c5f5d17358fcfd746718a758e99be98b18919ee6786622f34
  SHA512: 02b058d78baf6d8a1e2616929aca836f28ec323b0aaaddcc4aba42ed99d96c868fd657aab46cd305d6108bf97675962d8f8c97fc67b4d1c80077dce9524ac2ed
- memory/3364-14-0x0000000000AE0000-0x0000000000C54000-memory.dmp
  Filesize: 1.5MB
- memory/3364-15-0x0000000001600000-0x000000000160E000-memory.dmp
  Filesize: 56KB